Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
- To: Nikos Voutsinas <nvoutsin@gmail.com>
- Subject: Re: back_ldap / TLS Issues with OPENLDAP_REL_ENG_2_4_48
- From: Ondřej Kuzník <ondra@mistotebe.net>
- Date: Sat, 20 Jul 2019 13:41:50 +0200
- Cc: openldap-devel@openldap.org
- Content-disposition: inline
- In-reply-to: <CAJoHRijg72LHC5EQT0p=ppyykvd69ik-8Ons0fdd3e7fRp1R5Q@mail.gmail.com>
- References: <CAJoHRijg72LHC5EQT0p=ppyykvd69ik-8Ons0fdd3e7fRp1R5Q@mail.gmail.com>
- User-agent: NeoMutt/20170113 (1.7.2)
On Sat, Jul 20, 2019 at 09:25:17AM +0300, Nikos Voutsinas wrote:
> Hi all,
>
> In view of the new OpenLDAP release, I ran some tests using the
> current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree, and based on my
> findings it seems that this build breaks the back_ldap backend when it is
> used with a remote ldaps:/// server.
>
> In particular, the following snippet of proxy bind configuration, which
> works on the same system, with the same remote ldaps:/// server /
> certificate and the 2.4.47 release, fails with the engineering release of
> 2.4.48. The testing environment was Debian (Stable/Buster), and OpenLDAP
> was compiled with Debian's GnuTLS libs. Based on my previous
> experience I would have bet that this is a GnuTLS issue; however, this
> seems to be a different case, considering that the error happens only with
> the switch from 2.4.47 to 2.4.48. Could this be another side effect of
> the fixes related to ITS#8427?
>
> dn: olcDatabase={3}ldap,cn=config
> changetype: add
> objectClass: olcDatabaseConfig
> objectClass: olcLDAPConfig
> olcDatabase: {3}ldap
> olcAccess: to * by * manage
> olcSuffix: cn=authn
> olcRootDN: cn=admin,cn=authn
> olcRootPW: {SSHA}<REMOVED>
> olcDbURI: ldaps://remote-authn.acme.foo:636
>
> The debug output shows the following:
>
> TLS: peer cert untrusted or revoked (0x42)
> TLS: can't connect: (unknown error code).
Hi Nikos,

Where/how do you set the CA certificates that slapd should trust?

Thanks,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
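The question above ("where/how do you set the CA certificates") is the first thing to check when back_ldap reports "peer cert untrusted or revoked": the proxy's outbound TLS client needs a trust anchor from somewhere, and a cn=config export tells you which setting, if any, applies to each ldaps:// backend. The following audit script is an added example written for this page; it is not code from the OpenLDAP project or from either poster. It parses a constructed cn=config LDIF (the file paths and hostnames in it are placeholders) and reports, for every olcLDAPConfig database whose olcDbURI uses ldaps://, whether a CA file is named in that database's own olcDbStartTLS options (tls_cacert= / tls_cacertdir=), whether it falls back to the global olcTLSCACertificateFile / olcTLSCACertificatePath in cn=config, or whether neither is set. The assumed precedence (per-database option first, then the global attribute, otherwise nothing in cn=config and slapd is left to the libldap defaults) is a stated assumption of this example, not something the thread confirms.

```python
"""Audit which CA trust setting applies to each back_ldap database that uses ldaps://.

Added example for a slapd cn=config export. Not OpenLDAP project code.
Assumed precedence: database-level tls_cacert/tls_cacertdir on olcDbStartTLS,
then global olcTLSCACertificateFile/olcTLSCACertificatePath, else none.
"""
import re

# Constructed sample cn=config export (paths and hosts are placeholders).
# {3}ldap relies on the global CA file; {4}ldap names its own CA file.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /etc/ssl/certs/example-ca.pem

dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcSuffix: cn=authn
olcDbURI: ldaps://remote-authn.acme.foo:636

dn: olcDatabase={4}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {4}ldap
olcSuffix: cn=other
olcDbURI: ldaps://other.acme.foo:636
olcDbStartTLS: ldaps tls_cacert=/etc/ssl/certs/other-ca.pem tls_reqcert=demand
"""

# Same export with the global CA file removed: {3}ldap then has no trust anchor.
SAMPLE_LDIF_NO_GLOBAL_CA = SAMPLE_LDIF.replace(
    "olcTLSCACertificateFile: /etc/ssl/certs/example-ca.pem\n", "")


def parse_ldif(text):
    """Return a list of entries (dict attr -> [values]); unfolds continuation lines.

    Plain 'attr: value' only; base64 ('attr:: ...') values are kept verbatim
    with their leading ':' because this audit never needs to decode them.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def ca_settings_for_ldaps_backends(ldif_text):
    """Map each ldaps:// back_ldap database DN to the CA setting that applies to it."""
    entries = parse_ldif(ldif_text)
    global_ca = None
    for e in entries:
        if e.get("dn") == ["cn=config"]:
            global_ca = (e.get("olcTLSCACertificateFile")
                         or e.get("olcTLSCACertificatePath") or [None])[0]
    report = {}
    for e in entries:
        if "olcLDAPConfig" not in e.get("objectClass", []):
            continue                          # not a back_ldap database
        uris = [u for u in e.get("olcDbURI", []) if u.lower().startswith("ldaps://")]
        if not uris:
            continue                          # plain ldap:// or ldapi:// backend
        db_ca = None
        for opt in e.get("olcDbStartTLS", []):
            m = re.search(r"tls_cacert(?:dir)?=(\S+)", opt)
            if m:
                db_ca = m.group(1)            # database-level trust anchor
        if db_ca:
            ca, source = db_ca, "database"
        elif global_ca:
            ca, source = global_ca, "global"
        else:
            ca, source = None, "none"         # nothing in cn=config: libldap defaults
        report[e["dn"][0]] = {"uris": uris, "ca": ca, "source": source}
    return report


if __name__ == "__main__":
    for dn, info in ca_settings_for_ldaps_backends(SAMPLE_LDIF).items():
        print(f"{dn}: {info['uris']} -> CA {info['ca']!r} ({info['source']})")
```

Run against a real export (`slapcat -n 0`), a database that comes out as `source: none` has no trust anchor in cn=config at all, which is exactly the situation to rule out before looking for a library or version regression; a database that resolves to a file is worth checking with `openssl verify` against the remote server's chain.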